Khalil, a Palestinian white hat hacker, submitted bug reports to Facebook about a vulnerability that allowed him to post on anyone's wall. But Facebook's security team didn't do anything. So Khalil wrote on Mark Zuckerberg's wall about it and was generally a badarse.

Khalil explains on his blog that he submitted a full description of the bug, plus follow-up proof of its existence to the Facebook security feedback page, where researchers can win rewards of at least $US500 for finding significant vulnerabilities. Then he submitted again. The second time he got an e-mail back that said, "I am sorry this is not a bug."

When he posted on Zuckerberg's wall, Khalil said, "First sorry for breaking your privacy and post to your wall, I has no other choice to make after all the reports I sent to Facebook team." He then detailed the situation and provided links.

Within minutes, a Facebook engineer contacted Khalil for more information and then blocked his account "as a precaution" while a security team fixed the bug. Later his account was re-enabled. But Facebook says that he cannot claim a reward for the find because in hacking Zuck's wall he violated Facebook's terms of service.

Facebook commented that "exploiting bugs to impact real users is not acceptable behaviour for a white hat. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent." Facebook admits, though, that its team should have been more diligent in following up on Khalil's submission. So. Cool. Problem solved. [Khalil, RT, The Verge]

Comments

This is precisely why I don't use social media of any type. It's intrusive on your privacy the second you sign up; data is gathered and very probably sold, not shared, to whoever is willing to pay for it, and then they have the arrogance to firstly ignore, then disrespect, someone who is trying his best. What a bunch of fucking clowns...

I think they should pay the $500 for the bug and another $4500 with a formal apology for accusing him of "hacking" Zuck's wall...

1. The second time he got an e-mail back that said, “I am sorry this is not a bug.”

2. But Facebook says that he cannot claim a reward for the find because in hacking Zuck’s wall he violated Facebook’s terms of service.

If the Facebook team did not recognise this as a bug, wouldn't this disprove the latter statement? If it's not a bug, then that would imply that it's functioning correctly... Yet if it's functioning correctly, how could he be "exploiting" it? Facebook should be giving a formal apology to ALL users for implying that a vulnerability to their privacy was overlooked despite multiple reports!

Within minutes, a Facebook engineer contacted Khalil for more information and then blocked his account “as a precaution” while a security team fixed the bug. Later his account was re-enabled. But Facebook says that he cannot claim a reward for the find because in hacking Zuck’s wall he violated Facebook’s terms of service.

How can they claim that it is against their terms of service? They said it wasn't a bug, which meant that he wasn't exploiting a bug to do something; he was using something they acknowledged as a feature.

Just goes to show why white hat hackers shouldn't help douchebag companies like Facebook, even if it is for $5K. The sooner I see the demise of such orgs, the better. How cheap of them for not paying him and claiming it to be an abuse of the terms of service. I bet that reward didn't include any mention of "your bug report needs to be in line with terms of use" and they have just put that up as a wall to prevent him from claiming.

So the moral of the story: If you find a bug, tell them what it allows you to do, but not how you do it. If they're not interested, sell it to someone else.
If they are interested, then tell them, but only after they agree that doing something like that is a bug. Else, sell it to someone else.

It's a dog eat dog world. If they aren't willing to cough up the funds for people who are trying to help, I have no qualms about them turning it over to someone else, because that happens every day anyway. Though I would simply say that I was going to give it to someone else and see if they react... might need to do that from a dummy account though.

Facebook should be totally paying him a reward, for 2 simple reasons...
1) Next time someone finds a bug there will be no incentive to 'do the right thing'.
2) It's bad business practice for Facebook to punish a customer for the mistakes its staff have made, particularly when the customer has gone out of his way to help a complete stranger. Mr Zuck, don't be a lame ass, show your gratitude, you can sure as hell afford it.
